[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Limiting environment use for setuid/setgid programs only?
|
From: |
Thomas Dickey |
|
Subject: |
Re: Limiting environment use for setuid/setgid programs only? |
|
Date: |
Mon, 17 Apr 2023 18:23:35 -0400 |
On Sat, Apr 15, 2023 at 10:29:38AM +0200, Sven Joachim wrote:
> The ramifications of CVE-2023-29491 can be limited by configuring
> ncurses with --disable-root-environ. However, this disables all use of
> the ncurses environment variables by the superuser which has the
> potential to break scripts and makefiles.
Revisiting this - what scripts are setting $TERMINFO (or $TERMINFO_DIRS)
that root should pay attention to?
(makefiles don't _need_ environment variables)
These pathnames are addressed by the --disable-root-environ option:
TERMINFO
TERMINFO_DIRS
as well as these (not used in Debian):
TERMCAP
TERMPATH
> Would it be possible to add a new option that only limits environment
> use for setuid/setgid programs, like the --disable-root-access behavior?
It's possible,
But I don't see why root should be more permissive than a setuid program :-)
--
Thomas E. Dickey <dickey@invisible-island.net>
https://invisible-island.net
signature.asc
Description: PGP signature